I’ve got a use case that I would imagine would be fairly common, but I can’t seem to be able to figure out a solution for:
I’ve got a field on the user type, we’ll call it “access code”, that is private. This field is used to obtain “personal data” from an external API call, as well as to make changes to data on that API. As a result, this field needs to be private to each user via privacy rules.
However, other users need to be able to view a user’s “personal data”, but only if that user shares it with them. Users should never be able to make changes to another user’s personal data.
As a result, an API workflow needs to run without privacy rules to use a user’s access code to retrieve their personal data and serve it to another user. Unfortunately, the “return Data from API Workflow” action can’t be accessed directly from the app, at least through the “schedule an API workflow” call.
So I wrote an API call to call the app’s own API workflows and return the data. However, I can’t figure out how to make this call authenticated as the current user. I can use an API key from the Bubble settings, but this will run as an admin user, which doesn’t allow for restricting access to personal data based on whether it has been shared.
Has anyone used API workflows to retrieve data on behalf of another user before? How can I make this work without exposing access codes or personal data to any malicious and competent user?